Skip to content
A command-line fuzzer for the Apache JServ Protocol (ajp13)
Branch: master
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Type Name Latest commit message Commit time
Failed to load latest commit information.

AJPFuzzer - A command-line fuzzer for AJPv1.3

AJPFuzzer is a rudimental fuzzer for the Apache JServ Protocol (ajp13).

Built on top of libajp13, the tool allows you to create and send AJP messages using an easy-to-use command line interface. AJPFuzzer can craft properly formatted AJP13 messages (all message types) as well as mutations (e.g. bit flipping, messages with type mismatch, etc.), which facilitates security testing efforts targeting AJP-based services like web servers AJP modules, J2EE containers, and many others.

How To Use it

  1. Download the latest AJPFuzzer jar from the releases page

  2. Execute the downloaded jar using:

     $ java -jar ajpfuzzer_v0.6.jar
  3. The tool will prompt a shell. By typing ?list, it is possible to list all available commands. At this point, you can connect to the target using:

     AJPFuzzer> connect 8009
  4. Then, you can send a CPing message (type 10) by simply typing '10' (no arguments are needed for this message)

     AJPFuzzer/> 10

The following screenshot illustrates the entire execution:

CPing message using AJPFuzzer

Obviously, it is possible to send more complex messages by specifying the appropriate test case and arguments. Please refer to ?list for all details on a specific command.

For example, we can send a fully customized ForwardRequest type message using:

> forwardrequest 2 "HTTP/1.1" "/api/" localhost porto 8009 false "Cookie:AAAA=BBBB" ""

ForwardRequest message using AJPFuzzer

Available test cases and further customization.

As of today, AJPFuzzer provides the following test cases:

Id Name Description
1 body Send a body message from the web server to the J2EE container
2 forwardrequest Begin the request processing cycle from the web server to the J2EE container
3 sendbodychunk Send a chunk of the body from the J2EE container to the web server
4 sendheaders Send the response headers from the J2EE container to the web server
5 endresponse Mark the end of the response, from the J2EE container to the web server
6 getbodychunk Get further data from the requestor. Message from the J2EE container to the web server
7 shutdown Send a standard shutdown AJP13 packet
8 ping Send a ping (ping != CPing) AJP13 packet
9 cpong Send a CPong AJP13 packet
10 cping Send a CPing AJP13 packet
11 forwardreqalltypes Send a ForwardRequest AJP13 packet, with all possible packet types
12 verbtampering Send multiple requests via AJP13 and do HTTP Verb Tampering, to detect potential authentication bypass flaws
13 jettyleak Send a JettyLeak style AJP13 packet
14 hugelengthsmallbody Send ForwardRequest+Body messages, with a big Content-Length and small Body
15 hugeheader Send two AJP13 ForwardRequest packets with header length greater than 0x9999 (e.g. A010)
16 fuzzbit Create a complex AJP13 ForwardRequest and start bit flipping
17 fuzzslice Create an AJP13 ForwardRequest, SendHeaders, ShutDown, 0xFF, 0x00. Slice and send.
18 servletpath Create an AJP13 ForwardRequest with arbitrary 'servlet_path' attribute
19 bypassauthnull Create two AJP13 ForwardRequest with auth_type set to 'null'
20 envars Create an AJP13 ForwardRequest with req_attribute_code (10) in order to set arbitrary environmental variables
21 hugepacketsize Create two AJP13 requests with size > 8192 bytes
22 dirtraversal Create an AJP13 ForwardRequest (GET) with multiple directory traversal payloads

New test cases can be added by extending the class. Using the @Command annotation, the tool will recognize the additional command and make it available from the CLI.

You can’t perform that action at this time.
You signed in with another tab or window. Reload to refresh your session. You signed out in another tab or window. Reload to refresh your session.